Forum Discussion
Searching by more than one field when using a watch list
Ofer_Shezaf I would definitely say this is easier to read and quicker to write (especially when you have a lot of queries to go through):
| search NOT [| inputlookup LOOKUP | fields src dest dest_port app protocol url]
than this:
| where SrcIP !in ((_GetWatchlist('LOOKUP') | project SrcIP))
| where Dest !in ((_GetWatchlist('LOOKUP') | project Dest))
| where DestPort !in ((_GetWatchlist('LOOKUP') | project DestPort))
| where App !in ((_GetWatchlist('LOOKUP') | project App))
| where Protocol !in ((_GetWatchlist('LOOKUP') | project Protocol))
| where Url !in ((_GetWatchlist('LOOKUP') | project Url))
Even more so when you have 3 or 4 lookups to correlate and you can end up with 10+ lines of KQL just for a few lookups.
Is there a better way to store this information and correlate it in Sentinel?
ChristopherKerry Ofer_Shezaf
To expand on this:
| search NOT [| inputlookup LOOKUP | fields src dest dest_port app
Splunk is parsing all the fields or columns you currently have available and matching them to the lookup; it then compares the value of that field and, when it finds a match, removes the result from our search.
I suppose a less verbose but similar approach in KQL land would be:
| where (SrcIP or User or Dest) !in ((_GetWatchlist('WL_Global') | project user, src, dest
Currently, the above doesn't work and you do have to individually split out your where filtering.
I can see both sides, but it's far more verbose in KQL making readability more of a struggle.
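One way to collapse the six per-column `!in` filters into a single multi-column comparison is a `leftanti` join against the watchlist, shown here as an added example that is not from the thread. The event rows and watchlist rows are constructed, and the column names are assumed from the snippets above (watchlist columns `src, dest, dest_port, app, protocol, url`; event columns `SrcIP, Dest, DestPort, App, Protocol, Url`).

```kql
// Constructed sample events standing in for the real table
// (e.g. CommonSecurityLog projected to these column names).
let Events = datatable(TimeGenerated:datetime, SrcIP:string, Dest:string, DestPort:int, App:string, Protocol:string, Url:string) [
    datetime(2021-03-18 10:00:00), "10.0.0.5", "203.0.113.10", 443, "https", "tcp", "https://example.test/ok",
    datetime(2021-03-18 10:01:00), "10.0.0.5", "203.0.113.20", 443, "https", "tcp", "https://example.test/other",
    datetime(2021-03-18 10:02:00), "10.0.0.9", "203.0.113.10", 80,  "http",  "tcp", "http://example.test/x"
];
// Constructed stand-in for the watchlist (values assumed to be strings).
// In Sentinel replace this with:
//   _GetWatchlist('LOOKUP') | project src, dest, dest_port, app, protocol, url
let WL = datatable(src:string, dest:string, dest_port:string, app:string, protocol:string, url:string) [
    "10.0.0.5", "203.0.113.10", "443", "https", "tcp", "https://example.test/ok"
];
// Row-wise suppression: an event is dropped only when ALL six fields match
// one watchlist row, which is what the Splunk `search NOT [| inputlookup ...]`
// subsearch does. Only the first constructed event is removed here.
Events
| extend DestPort_s = tostring(DestPort)   // match the watchlist's string type
| join kind=leftanti WL on $left.SrcIP == $right.src,
                         $left.Dest == $right.dest,
                         $left.DestPort_s == $right.dest_port,
                         $left.App == $right.app,
                         $left.Protocol == $right.protocol,
                         $left.Url == $right.url
| project-away DestPort_s
```

Note that this is not the same filter as the chain of `where X !in (...)` lines: those drop an event if any single field value appears anywhere in the watchlist, so on the constructed data they would also suppress the second and third events (their `SrcIP` and `Dest` each occur in the list), which is a broader suppression than the Splunk subsearch performs.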
- Javier-Soriano, Mar 18, 2021, Microsoft
Tagging UriBarash and Deepak Agrawal for visibility